Security notice: Meltdown and Spectre

curtvaughan
Level 3
Posts: 161
Joined: Sun Dec 21, 2014 5:54 pm
Location: Austin, Tx

Re: Security notice: Meltdown and Spectre

Post by curtvaughan »

AndyMH wrote: Wasted about three hours this evening to get back to where I started from.

Running 18.3 cinnamon on a T430 (64bit), kernel 4.4.0-53. I've got virtualbox V5.0.40 (the one in the repositories) running win7. VB works fine (except for USB ports, that did work and now don't, but a different story for a different post).


EDIT - well worked some things out, LTS = long term stable and HWE = hardware enabled, which sounds like the latest bleeding edge kernel with latest h/w drivers. Can confirm that 4.13.0.26 works, but not with virtualbox which hangs and only way out is to power off. Currently now running 4.4.0-53 generic and about to try 4.4.0-109 which is the latest showing in the 4.4 series. Note - to switch kernels on boot hold down the shift key to bring up grub and advanced options gives a list of available kernels to boot from - learning quite a lot today.

EDIT2 - now running 4.4.0-109 and it works with the version of virtualbox in the repositories (V5.0.40). Have removed 4.13.0.26 from my system. Can't say my first experience messing around with kernels has been painless.
I had exactly your experience with 4.13.0.26 and the virtualbox hang - mouse pointer just froze and had to do a cold reboot. I backed down to 4.10.0-42 and things work just fine, except I'm back to square one with no security updates. Please post if you have success with 4.4.x installs. As per another poster, I too wonder if vendor EFI/BIOS updates to fix these security issues might obviate the need to muck with the kernels. Even if so, wouldn't the problem there be that the security fix at the firmware level would only work for a specific hardware configuration?
Move from rim to hub: know the wheel.

rlwa32

Re: Security notice: Meltdown and Spectre

Post by rlwa32 »

I updated to kernel 4.4.0-109 and started a Linux Mint VM under VBox 5.2.2 without any problems.
curtvaughan
Level 3
Posts: 161
Joined: Sun Dec 21, 2014 5:54 pm
Location: Austin, Tx

Re: Security notice: Meltdown and Spectre

Post by curtvaughan »

Anyone know of a centrally located place one can get a summary of issues with the various security enhanced kernel releases over the last week? In my case, 4.13.0.26 broke virtualbox 5.0.* (causing mouse freeze/crash requiring a hard reboot), and disabled Cinnamon working in conjunction with my NVIDIA graphics card (GeForce GTX 960M), all on an HP Omen laptop with 6th gen I7. Kernel 4.10.0-42 works fine in both regards, but appears not to have the applied security patch.

Two other rumors I'm curious about:

1) These vulnerabilities require local access to the computer hardware to exploit.
2) If the hardware can be fixed via BIOS/EFI hardware vendor updates, kernel fixes aren't necessary.

I have a Dell XPS13 to which I applied a BIOS level patch, so as of now, am reluctant to apply Mint/Antergos kernel updates to that machine if they break graphics and/or my vbox software. Of course, this might bite me further down the line with regressions caused by kernel updates, yes? In any case, if someone needs physical access to my laptops to exploit these vulnerabilities, perhaps the sky won't fall. I have three personal laptops potentially affected, but no one but I has physical access to these machines. I'm retired, but if I still worked with servers and desktops/laptops in my work environment I'd be very worried.
Move from rim to hub: know the wheel.

buffest_overflow

Re: Security notice: Meltdown and Spectre

Post by buffest_overflow »

stavpup wrote: Make sure you enable "always show kernel updates" in the update manager :roll:
Ok, I may as well do a minor venting here.
What you suggest goes against good practice and advice for new users. This patch wasn't dealt with in the best way, imo. A jump from 4.10 stable generic to the newest build of 4.13 is kind of freaky, without an explanation, don't you think?

I was on 4.10 generic, and I see a forced kernel upgrade to 4.13 on my update manager as well as one for 4.4. These were "level 4" updates, meaning they could cause problems to a system, so I updated them one at a time. More confusingly, they were labeled as "urgency low," which made no sense to me. No mention of Spec/Melt in either of them, I had to find out the connections myself.

We were also being told to update our microcode, so I upgraded my Intel microcode from their website, but big surprise, it was a bad patch and they're all running around in terror. Then I got another microcode patch from Linux update manager, I believe .22 to .23. Spectre and Meltdown were only mentioned in the release notes of one of later Linux's patches. So I think this could have been handled with more clarity and explanation. People in #linuxmintchat were sending me to links which were not helpful, one person sent me to a link explaining how to run apt-get, as a kind of condescending smack in the face perhaps. Even though they might be far more experienced than I, they didn't have up to date info necessarily.

Linux Mint shouldn't be singled out. MS and Apple have handled this horribly as well, and Intel the most embarrassing of all. The Raspberry PI looks like a nice investment now.

And to top it all off, nothing is actually fixed.

On the other hand, I am really happy about Timeshift. I'm looking forward to flatpak being expanded, and for more recent updates to be available from the repository. Early ending to a honeymoon, but that's life.
MtnDewManiac
Level 6
Posts: 1491
Joined: Fri Feb 22, 2013 5:18 pm
Location: United States

Re: Security notice: Meltdown and Spectre

Post by MtnDewManiac »

buffest_overflow wrote: What you suggest goes against good practice and advice for new users. This patch wasn't dealt with in the best way, imo. A jump from 4.10 stable generic to the newest build of 4.13 is kind of freaky, without an explanation, don't you think?
Imagine how I felt just a few minutes ago, when I was able to boot my computer for the first time in a month or more (electricity had been off), and saw a kernel update from "3.19.0-32" to "4.4.0-lts1" - this is a MAJOR jump in version numbers... which I had always understood to mean major differences. Thinking this to be more than a bit odd, I immediately right-clicked on the Changelog tab for this update.

At which point, I learned NOTHING AT ALL. Because this is the complete listed changelog for this - huge - jump in version numbers:
* Depend on linux-generic-lts-xenial (headers are needed for DKMS support)

I have griped before about the... occasional lack of information available via mintUpdate's Changelog tab. But, until now, kernel updates were always accompanied by actual changelog information. I do not know the technical terms for the individual parts of the version numbers (and apologize for this), so I hope I can be understood here. The "little" (decimal) part of the version number... I would run the update application and occasionally see a kernel update. Being a computer user instead of someone who actually writes the code that enables me to use the thing, I freely admit to an almost complete ignorance in terms of the "technical aspects." But - in my own way - I have tried to use a cautious approach to these kernel updates. To wit, I would hold off on a kernel update for a week or two and then see if there was a thread about people having issues with that particular update. If I saw no such thread - or only one or, perhaps, two people reporting issues that did not seem to be applicable to my hardware or software (such as the comments above about this virtual box thing that I do not, as far as I know, use) - then I would accept the update.

In the meantime, of course, I would read the changelog information. Those decimal version number changes... even if the jump was even a very small one - going from .004 to .007 (numbers chosen at random!), for example - I would see a nice and NOT SMALL list of all the changes from my current kernel to the updated one (and backward from my current one, also, but this is not really relevant here).

So. I booted my computer after (to me) a prolonged "absence," and saw not just a small/decimal jump in kernel versions but a MAJOR one (from 3.n to 4.n). This was quite a shock, and I mentally prepared myself for - what must surely be - a long session of reading a lengthy changelog.

Instead, I saw " * Depend on linux-generic-lts-xenial (headers are needed for DKMS support)."

Again, I have griped about this before, this (for all intents and purposes) lack of changelog information in mintUpdate. And when I did, if I remember correctly, there was a reply from Clem stating that they'd try to do better. Which was gratifying to read at the time, because I have always considered these things to be important (even to one as ignorant about technical things as I am!). After all, this - in my mind, at least - meant that he did not consider my griping to be unimportant/unnecessary/merely griping for no reason.

And now I see what is, in effect, a "blind update." Here, bud, have an update. It is many, many, many versions above your current one. What's different about it? Ah, well... Don't worry about it, bud.

AND THIS IS NOT AN UPDATE TO MY CALCULATOR APPLICATION, OR EVEN TO MY WORLD WIDE WEB BROWSER - IT IS A KERNEL UPDATE!!!

This is, frankly, unconscionable, IMHO.
buffest_overflow wrote: I was on 4.10 generic, and I see a forced kernel upgrade to 4.13 on my update manager as well as one for 4.4. These were "level 4" updates, meaning they could cause problems to a system
On my computer, this kernel update shows as a level FIVE update. Which is fine, because I've been running a linux OS for, IDK the exact number of years - but definitely longer than a week, lol, so I would know to be cautious even if it were listed as a level one update. To clarify: Even if this had been listed as a level one update, I would have been... concerned about the possibility of a kernel update resulting in Bad Things Occurring. And, therefore,

I would have immediately read the changelog information.

And I did.

* Depend on linux-generic-lts-xenial (headers are needed for DKMS support)

I am surprised that you did not feel the need to place a page break / pause in the middle of that, since it is such a huge amount of information/text. Yes, that is sarcasm.

Clem, this is your doctor calling. I'm afraid I have some bad news. You need emergency surgery RIGHT NOW or you'll be dead by morning because you have a severe medical condition. I'm sorry, what? What kind of surgery, and what medical condition? Right, sorry. The surgery is... an operation. And the medical issue is... Stuff. Oh, and things. Definitely things. Very, very important, those, can't forget things. So you'll be down to the hospital right away so I can perform this very important surgery? Hello? Hello?

Yes, well... Clem, ol' bud, I'm sure glad you're not a doctor. So, I suspect, are the users of your OS. I mean, well... you know. I really like your OS and have used it exclusively for years. I've always considered it to be... "crown jewel" kind of thing. And I suppose that, had you gone into medicine instead of computer programming, that you'd probably be top notch at that, too. It's just... I shudder to imagine just how many of your patients would end up feeding the worms because you could not be bothered to explain to them what the procedure (that they desperately needed) actually was!
buffest_overflow wrote: Ok, I may as well do a minor venting here.
I didn't feel that your post was "venting." For an example of venting, lol, see above.
buffest_overflow wrote: so I updated them one at a time. More confusingly, they were labeled as "urgency low," which made no sense to me. No mention of Spec/Melt in either of them, I had to find out the connections myself.

We were also being told to update our microcode, so I upgraded my Intel microcode from their website, but big surprise, it was a bad patch and they're all running around in terror. Then I got another microcode patch from Linux update manager, I believe .22 to .23. Spectre and Meltdown were only mentioned in the release notes of one of later Linux's patches. So I think this could have been handled with more clarity and explanation.
I've occasionally read threads that had more than a little "user panic." By that I mean, well, exactly that. People worrying, upset... In a figurative sense, "flopping around like chickens that have just been beheaded." It grows, snowballing, until someone is kind enough to post and, by doing so, bank the fires of panic. IIRC, xenopeek(?) has been very good about straightening us fearful users (yes, I have occasionally been one of the worried) out.

I do believe that this cluster<BLEEP> is the visible evidence of what happens when the DEVELOPERS panic. That's just a guess on my part, of course, but... I'd be more than a little surprised if it turns out that I was wrong here.

Hopefully, xenopeek (or someone equally capable) will be able to serve the Mint developers some calming words, sense, and virtual valium. Please hurry - your services are obviously desperately needed!

Regards,
MDM
Mint 18 Xfce 4.12.

If guns kill people, then pencils misspell words, cars make people drive drunk, and spoons made Rosie O'Donnell fat.
trytip
Level 14
Posts: 5371
Joined: Tue Jul 05, 2016 1:20 pm

Re: Security notice: Meltdown and Spectre

Post by trytip »

In my Linux Mint Mate 17.3 x64 I don't have the option to go higher than kernel 4.4.0-98; how would I upgrade the kernel?
Last edited by trytip on Sat Jan 13, 2018 12:49 pm, edited 1 time in total.
slipstick
Level 6
Posts: 1071
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Security notice: Meltdown and Spectre

Post by slipstick »

Look again - the versions above 99 are listed at the beginning of the 4.4.0 series (because 1xx comes before 9x). I am running 17.3 and found 4.4.0-109 listed just before 4.4.0-21.
In theory, theory and practice are the same. In practice, they ain't.
Retic1959

Re: Security notice: Meltdown and Spectre

Post by Retic1959 »

Oooooooh a level 4 kernel update , The sky is falling ! The sky is falling ! Let's all panic cuz using Grub to boot in to the previously installed kernel is so damd difficult right? LMFAO ! :lol:
Cosmo.
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: Security notice: Meltdown and Spectre

Post by Cosmo. »

Wrong!

Details would belong into a support thread, not in an announcement thread.
Mattyboy

Re: Security notice: Meltdown and Spectre

Post by Mattyboy »

Retic1959 wrote: Oooooooh a level 4 kernel update , The sky is falling ! The sky is falling ! Let's all panic cuz using Grub to boot in to the previously installed kernel is so damd difficult right? LMFAO ! :lol:
It is if you've never done it before. Knowledge isn't an entitlement to arrogance. Be nice! People come here for help!
buffest_overflow

Re: Security notice: Meltdown and Spectre

Post by buffest_overflow »

I do believe that this cluster<BLEEP> is the visible evidence of what happens when the DEVELOPERS panic. That's just a guess on my part, of course, but... I'd be more than a little surprised if it turns out that I was wrong here.

Hopefully, xenopeek (or someone equally capable) will be able to serve the Mint developers some calming words, sense, and virtual valium. Please hurry - your services are obviously desperately needed!

Regards,
MDM
Linux Mint has dealt with this far better than Apple has. Apple has absolutely horrible security patches. They bury everything. My worst experiences with security have been with Apple (and Windows of course). I just think there could have been more clarity and consistency here, I feel like I have to tighten the reins of trust once again, but these things happen. Black swans come and mess up everything. I read "it's Another Heartbleed" being tossed about, not in novice help forums like this one, but in hacker and security forums where people were talking about stuff that made things sound not so nice. These people are just as capable of freaking out as anyone else, or at the very least, spreading gratuitous FUD around to paint a picture that in general the entire world is doomed. And who knows, maybe it is.

And as a survivor of a nasty hack a couple years back, I try to look at what can be learned and how things can be changed. I have been forced to learn a lot of tools and contemplate even yet more potential areas of attack surface. It is exhausting. One needs to take a break and just accept that things are not predictable or controllable.
buffest_overflow

Re: Security notice: Meltdown and Spectre

Post by buffest_overflow »

Mattyboy wrote:
Retic1959 wrote: Oooooooh a level 4 kernel update , The sky is falling ! The sky is falling ! Let's all panic cuz using Grub to boot in to the previously installed kernel is so damd difficult right? LMFAO ! :lol:
It is if you've never done it before. Knowledge isn't an entitlement to arrogance. Be nice! People come here for help!
People read the manuals, and the instructions given to them by older and experienced users, they follow the advice of Linux veterans. That's what people did. Many people aren't having a good time from this, and it has nothing to do with being stupid. Intel released FAULTY MICROCODE. How can you blame someone with 3 months of Linux experience behind their back to not be scared? Your insouciance is not only unhelpful, it's harmful. And yes, be nice.

And the "sky is falling" was coming more from ycombinator and technet than this forum, thank you.
Retic1959

Re: Security notice: Meltdown and Spectre

Post by Retic1959 »

Mattyboy wrote:
Retic1959 wrote: Oooooooh a level 4 kernel update , The sky is falling ! The sky is falling ! Let's all panic cuz using Grub to boot in to the previously installed kernel is so damd difficult right? LMFAO ! :lol:
It is if you've never done it before. Knowledge isn't an entitlement to arrogance. Be nice! People come here for help!
Some people are coming to an announcement thread to complain about the reasons for the update not being spoonfed to them when the reasons were given on the blog, and also to rant about having to learn something about the OS they've chosen to use. Others are speculating that the devs are panicking over this. Utter nonsense IMO. I don't agree with you, sorry.
Linux-Bill
Level 3
Posts: 133
Joined: Mon Mar 14, 2016 4:19 pm

Re: Security notice: Meltdown and Spectre

Post by Linux-Bill »

WOW! Read this whole thing - not really sure why after I got all done with it. I just went to updates, checked what was there and installed what was needed. Took a few minutes while I went and got a cup of coffee. The end results? Everything on my dual booter works just fine and the world did not come to an end. Much the same as has been my experience with Mint over the past few years. Things just work - no need to over complicate anything. Then there is my Windows side of things - well, I won't go there - save to say it was sure not as smooth as Mint and took a lot of time.

Thanks guys - for me Mint is great!
Bill W2BLC
sikejsudjek

Re: Security notice: Meltdown and Spectre

Post by sikejsudjek »

On my three linux mint systems most of the upgrades are ok. However on my t410 laptop with nvidia graphics - kernel 4.13 will not install and gives an error for compiling the nvidia driver. Yesterday I got an update to the nvidia 340 driver and settings - this was supposed to enable a patch for kernel 4.14 and 4.15. However this once run prevents hardware acceleration with any kernel. The menu is messed up, and the desktop falls back to software rendering. Fortunately I use systemback - and just went back to a previous restore point. Tried again with a different kernel, 4.10 which normally works, and same issue.

I take it that from the blog I should move to kernel 4.13 from 4.10 as 4.10 isn't getting security updates for meltdown? If so I can't with this nvidia graphics driver as it gives a bad module error. As this is older hardware maybe I'm better off with 4.4?
trytip
Level 14
Posts: 5371
Joined: Tue Jul 05, 2016 1:20 pm

Re: Security notice: Meltdown and Spectre

Post by trytip »

slipstick wrote: Look again - the versions above 99 are listed at the beginning of the 4.4.0 series (because 1xx comes before 9x). I am running 17.3 and found 4.4.0-109 listed just before 4.4.0-21.
thanx for the info, it didn't occur to look alpha-numeric
Jim Hauser

Re: Security notice: Meltdown and Spectre

Post by Jim Hauser »

And yet I see no complaints about anyone running Linux Mint being directly affected by "Meltdown and Spectre."

I upgraded to 4.13.0-26 and made changes to my Chromium browser and system as suggested. It was not the end of the world for me. Everything is still running fine on my system.

There may be a few people having problems with it and that should be expected. I hope they can figure things out.

For me it is now a non-issue...

P.S. I have weekly backups going back 15 weeks on 2 local drives and 1 remote drive (3 copies of each backup.) That helps too...
stavpup
Level 1
Posts: 29
Joined: Tue Jan 09, 2018 10:18 am

Re: Security notice: Meltdown and Spectre

Post by stavpup »

I think the instructions are clear:

"Linux Kernel

Please use the Update Manager to upgrade your Linux kernel.

The following versions were patched:

3.13 series (Linux Mint 17 LTS): patched in 3.13.0-139
3.16 series (LMDE): patched in 3.16.51-3+deb8u1
4.4 series (Linux Mint 17 HWE and Linux Mint 18 LTS): patched in 4.4.0-108
4.13 series (Linux Mint 18 HWE): patched in 4.13.0-25

Note: The current HWE series in Linux Mint 18 moved from 4.10 to 4.13.

Some users reported issues with early kernel updates (4.4.0-108 issues in particular were fixed since in 4.4.0-109). We strongly recommend you use Timeshift to create a system snapshot before applying the updates. Timeshift is installed by default in Linux Mint 18.3 and available in the repositories for all Linux Mint 17.x and 18.x releases."

So my kernel now is 4.4.0-108-generic (Mint 18.1)
but in order to get there you must do this :!:

Make sure you enable "always show kernel updates" in the update manager :roll:
I also got the intel microcode update. Now that I got both kernel and microcode update I have unchecked the "always show kernel updates".
Until the next crisis appears, I am sticking to 4.4.0-108-generic (Mint 18.1) kernel :)

P.S.
useful link with kernel updates
https://wiki.ubuntu.com/Kernel/LTSEnablementStack
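
Added example, not part of any post in this thread or of Linux Mint's tooling: a shell check that compares a kernel release string with the patched versions quoted in the announcement above, using version order (`sort -V`) instead of the alphabetical order slipstick describes. The function names are hypothetical, and it assumes Ubuntu-style release strings such as `4.4.0-109-generic`; on LMDE pass the kernel package version rather than `uname -r`.

```bash
#!/bin/sh
# Added example (not from the thread): is a kernel release at or above the
# patched version the announcement lists for its series?

# First patched version per series, copied from the quoted announcement.
# Returns non-zero for a series the announcement does not list (e.g. 4.10).
patched_floor() {
    case "$1" in
        3.13) echo "3.13.0-139" ;;
        3.16) echo "3.16.51-3+deb8u1" ;;
        4.4)  echo "4.4.0-108" ;;
        4.13) echo "4.13.0-25" ;;
        *)    return 1 ;;
    esac
}

# True when $1 >= $2 in version order. sort -V compares numeric fields as
# numbers, so 4.4.0-109 ranks above 4.4.0-98.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Print "patched", "unpatched" or "unlisted-series" for a release string.
# The body runs in a subshell, so its variables stay local.
kernel_status() (
    # Drop a trailing flavour such as -generic or -lowlatency.
    release=$(printf '%s\n' "$1" | sed -E 's/-[a-z][a-z0-9]*$//')
    series=$(printf '%s\n' "$release" | cut -d. -f1,2)
    if ! floor=$(patched_floor "$series"); then
        echo "unlisted-series"
    elif version_ge "$release" "$floor"; then
        echo "patched"
    else
        echo "unpatched"
    fi
)

# Highest version among the arguments, by version order.
newest_kernel() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# Constructed sample releases (versions mentioned in the thread), followed by
# the kernel this machine is running.
for r in 4.4.0-53-generic 4.4.0-98-generic 4.4.0-109-generic \
         4.10.0-42-generic 4.13.0-26-generic "$(uname -r)"; do
    printf '%-22s %s\n' "$r" "$(kernel_status "$r")"
done
```

"patched" here only means the release is at or above the version the announcement lists for that series; the announcement itself notes that 4.4.0-108 had issues that were fixed in 4.4.0-109.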
BigEasy
Level 6
Posts: 1282
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: Security notice: Meltdown and Spectre

Post by BigEasy »

stavpup wrote: I also got the intel microcode update. Now that I got both kernel and microcode update
Type

    dmesg | grep microcode

to check whether it is really updated for your CPU.
I have unchecked the "always show kernel updates"
It is very important! If a new kernel is just shown, then somebody will certainly mark it for installation without thinking. :roll:
Until the next crisis appears, I am sticking to 4.4.0-108-generic (Mint 18.1) kernel :)
Crisis is far from disappearing.
Windows assumes I'm stupid but Linux demands proof of it
BigEasy
Level 6
Posts: 1282
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: Security notice: Meltdown and Spectre

Post by BigEasy »

MtnDewManiac wrote: And now I see what is, in effect, a "blind update."
You also deleted the old kernel and ran update-grub?
To clarify: Even if this had been listed as a level one update, I would have been... concerned about the possibility of a kernel update resulting in Bad Things Occurring.
It is a bad thing if there is no last working kernel in the GRUB menu.
Windows assumes I'm stupid but Linux demands proof of it